Product name: Microsoft Windows Operating System
File name: C:\WINDOWS\system32\wbem\wmiprvse.exe
Last policy update: Not applicable
Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Last modified date: 2004/08/03 23:56:58
File size: 213 KB
If yes, so why was it trying to do this?!:

Hi and thanks,
but as I said it was trying to change or hijack the ZA, this is the question: why was it doing that kind of dangerous work???!

July 1st, 2006

f_kawashima

A case study

When I merely opened "INSTALL.LOG" and "ErrorLog.txt" with notepad.exe, a component of ZA Pro 6.1.744 (This occurred on 6.5.722 as well.) detected that vsmon.exe blocked the event (a file-writing) as if it was attempted by Windows Explorer. Instead, when I attempted to rename "INSTALL.LOG" and "ErrorLog.txt" within the directory, the below report was generated. I believe they are not sufficient reports because the given results were different from what I manipulated.

TROUBLESHOOTING: Try recalling on having done at the time of the log detection (2006/06/22 22:26:16+3:00 GMT) and reproducing the scene.

Overview Technical Info Details
Windows Explorer is trying to create or open a file.
The current security setting for Windows Explorer does not permit this action, or ZoneAlarm Pro is asking you whether to allow this behavior. Your computer is safe.

What should I do?
Windows Explorer has attempted to create or open a file on your system. This action is currently not permitted. If you trust this program and believe it requires a file to be created or opened then give it permission. If it does not need to create or open a file, or you know that a file should not be created or opened, then deny it.

Why?
Windows Explorer may be malicious. This is particularly true if the file being created or opened contains application or Windows settings, and changing these settings will affect the security of the system.

Inside the OSFirewall alert

| Alert property | Alert property value | Technical explanation |
|----------------|----------------------|-----------------------|
| Program Name | Windows Explorer | A program running on your computer, which attempted an action that was detected by the OSFirewall. |
| Filename | C:\WINDOWS\explorer.exe | The filename of the program that ZoneAlarm Pro found on your computer. |
| Program Size | xxxxxxxxx | The size of the program executable file in bytes. |
| Program MD5 | xxxxxxxxxxxxxxxxxxxxxxxxxx | The MD5 hash, or number, that uniquely identifies the executable. |
| Smart Checksum | xxxxxxxxxxxxxxxxxxxxxx | The SKIMP hash, or number, that uniquely identifies the executable. |
| Date Modified | | The date when C:\WINDOWS\explorer.exe was most recently modified. |
| File Pathname | ZLDIR\zonealarm.exe | Fully qualified name of the file being written to. |

Details
ZoneAlarm Pro protects your system from the malicious creation or opening of files.

Malicious programs may attempt to create or open files on your system in order to disable or lower security settings, damage the operating system, or steal information about you or your system.

Due to these potential threats, only programs which have been given explicit permission to create or open files on your system will be allowed to do so.

July 2nd, 2006

SlyFox

Re: A case study

Hi,

VERY, VERY INTERESTING! PLEASE forward all this EXCELLENT info to Tech Support. Here is the direct link to them.

Thank you very much for your time and have a "GREAT DAY" or "EVENING"!

SlyFox:D

July 2nd, 2006

oldsod

Re: Dangerous!!please help...

The ZA is designed not to be tampered with by malware to enable the protection during the time of an infected PC. It would be useless if malware could invade it and promptly shut it completely off. Thus the ZA firewall, when it sensed an intruder, just gave a warning out. CCleaner when set to delete ZA Logs will do the same. Some antispy sweeps will also interfere with the ZA "don't touch me". In this case it is a recognized Windows component and it is not a threat by any means. Not saying to ignore any future warnings, just to be aware of the nature of the alerts.

Thanks, that is actually a very nice write-up of the OSFirewall protection, and how it is used to protect the system (in this case ZA, but we also protect all critical Windows processes and more).

Marcus

July 6th, 2006

2nabote

Re: Dangerous!!please help...

I understand the purpose of the feature but I still don't understand if wmiprvse.exe should be attempting to update ZA assets. If yes, what's the purpose? If not, what is the source of this attempt? The OS Firewall has blocked 52 attempts to update the same number of ZA files, ZAP, EXE, and DLL. Thanks.

July 6th, 2006

zxcvbnm

Re: Dangerous!!please help...

I have the file mentioned

can find any reason to worry
just monitor it and I will come back to you if I find more out

July 6th, 2006

oldsod

Re: Dangerous!!please help...

Simple answer is Windows must do this. Why? To know which drivers and files to load and use for bootups, keep the master file correct, so OS will function elegantly, operate smoothly with the kernel drivers of ZA, coordinate paths and their sequences of the OS and additional software, arrange tasks, allow system restore to function properly and a few thousand other seen and unseen processes.